Setting Microsoft Update to be default using a script

Windows Update in Windows Vista is wrapped in a regular window in the operating system itself rather than being opened as a web page in Internet Explorer 7. The basics are the same, and the same underlying components are used both in Windows Vista and when you run Windows Update in a browser window on, for instance, Windows XP. A Vista client computer set to connect to a WSUS (Windows Server Update Services) server will of course always check for updates there. In the Windows Update control panel on a client computer you can, however, choose to search for updates on Windows Update instead. If you deploy other software such as Office 2007 you might want to use Microsoft Update instead of Windows Update, to see whether there are updates available for Office and other Microsoft products, not only Windows.


The reason why I want to check Microsoft Update manually from time to time is to regularly check which updates arrive to the various client computers that can be downloaded separately and then integrated into our installation media. Since opting into Microsoft Update requires administrative rights on the computers, I want to set Microsoft Update somehow automatically, and apparently there are still no GPO settings for this, which I find rather strange. After doing some research I have found the solution to automatically set Microsoft Update as the default instead of Windows Update. The script to add is as follows:

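' Register Microsoft Update with the Windows Update Agent (requires administrative rights)
Set ServiceManager = CreateObject("Microsoft.Update.ServiceManager")
ServiceManager.ClientApplicationID = "My App"
' Add the Microsoft Update service, identified by its GUID.
' Flags 7 = allow pending registration (1) + allow online registration (2) + register with Automatic Updates (4)
Set NewUpdateService = ServiceManager.AddService2("7971f918-a847-4430-9279-4a52d1efe18d", 7, "")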

Add this to a startup or login script to make sure Microsoft Update is always default.

Celebrating Vista’s first birthday

Exactly one year ago Windows Vista Gold (RTM) was built and today we celebrate Windows Vista’s first real birthday. Looking back at when Vista was released (November 30th 2006) I can see great improvements in Vista itself, third party drivers and application compatibility. Still there are a few issues here and there but hopefully all issues will be resolved by Service Pack 1 and in coming drivers.

The most frustrating problem I have right now on my home computers is that I still experience problems with the wireless network connection not being able to reconnect after resuming from Sleep. The good news is that the bug has gotten closed with the status “fixed” so there is hope.

My without doubt most frustrating problem with my work laptop is the fact that whenever the domain is not reachable everything you do with the computer takes like 30 seconds, no matter if you start Windows Explorer, right click a file, delete a file etc. That problem lies in the kernel as documented by Mark Russinovich. There is also a problem when browsing web sites with IE7, but only if you type for instance www.theexperienceblog.com, then it takes forever to load the page and the computer just sits there as if nothing is happening. The workaround for this issue is to append http:// to the address because then the page loads instantly as expected. The latter problems are fixed in SP1, thank you for that Microsoft. Shame that it took a year to fix…

Backing up BitLocker recovery keys to Active Directory

Using BitLocker to encrypt your system partition is a very good option to keep the computer and the data on it secure. Starting with Vista SP1 you will be able to encrypt not only the system partition but all the other partitions as well, offering even better security. When you encrypt a partition with BitLocker a recovery key is automatically generated so that you can recover the data on the computer when necessary. By default you have the choice of printing the recovery key or saving it to a USB stick or a network share.

However, using a group policy setting (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Turn on BitLocker backup to Active Directory) you can also back up the recovery key to Active Directory, which is a very good suggestion I must say. If you are running Windows Server 2008 you do not have to do anything to get this working, but if you would like to use Windows Server 2003 with SP1 or later to back up the BitLocker recovery key you must use scripts provided by Microsoft to extend the schema.

Microsoft also offers a tool called BitLocker Recovery Password Viewer which can be downloaded directly from Microsoft Premier Services. When this tool is installed it introduces another tab in a computer object's Properties called “BitLocker Recovery” where the BitLocker recovery keys are listed for your viewing pleasure in the case of necessary restoration. The only negative part about the tool is that it can only be installed on a Windows XP or Windows Server 2003 computer, as it requires that you have installed the “Windows Server 2003 Administration tools for SP1” on Windows XP to get the control panel for Active Directory Users and Computers.

UPDATE: I forgot to add the link to the page where you can find all the necessary information as well as the “extend schema”-script. Here it is!

Restoring files with “Previous versions” is really easy

Windows Vista contains a built in function that is called “Previous versions” or “Shadow copies” which is based on the Volume Shadow Copy service that also handles System Restore in Windows Vista. As a matter of fact System Restore and Previous versions go hand in hand and a system restore point includes “Previous versions”.

The “Previous versions” feature means that at any time you can right click a file or folder and choose to open and/or restore the file or folder from an earlier point in time. The great thing is that both backup copies made from scheduled backup as well as local snapshots of the files are listed when you choose to restore the files and folders.

“Previous versions” will also let you restore files that you have deleted but to be able to do so you have to open the folder in which you originally kept the deleted file. A note to take when restoring files is that if you rename a file and choose to restore an earlier copy using Previous versions you will not find any. The feature “Previous versions” locates previous versions of the file by its file name.

Also be aware of the fact that if you have a dual boot system with both Windows XP and Windows Vista, all System Restore points (including Previous versions) are lost whenever you boot to Windows XP.

The feature “Previous versions” is unfortunately only available on Windows Vista Business, Enterprise and Ultimate versions of Windows Vista.

Where are the “Solutions to install” in Vista?

The error reporting tool Problem reports and solutions in Windows Vista (and also in the upcoming Windows Server 2008) is a great addition from what we saw in error reporting in Windows XP. All application, system and driver crashes as well as compatibility problems and missing driver information are listed in this new control panel for error reports and are sent to Microsoft for analysis. Sometimes, much more frequently than in Windows XP, there are solutions available. The check for a solution is done instantly when a crash occurs in an application or a Windows component, but you can also manually check every now and then to see if there are any solutions to the problems you have experienced.

Today Windows Explorer crashed on me and it instantly pointed me to the solution, downloading and installing hotfix KB941648, which is the newly released update for compatibility, reliability and stability in Windows Vista. While there are direct links to the download location of the hotfix in the solution to this problem I am still waiting for the first “solution to install” to show up in the Problem reports and solution tools. Having the necessary updates sent to you would be a lot more convenient, and as the feature is already there I wonder why no one is using it, Microsoft for one should be using it! Have you had a “solution to install”?


Do we really need Service Pack 3 for Windows XP?

Today I installed a machine with Windows XP and SP2 integrated. After several visits to Windows Update and a number of restarts later I could count no less than 109 updates altogether weighing in at around 245 megabytes. Pretty amazing that it has been more than three years since Microsoft released Service Pack 2, and who knows when Service Pack 3 will be released. First half of 2008 is the expected release date but my guess is it will be released slightly after the release of Windows Server 2008 and Windows Vista Service Pack 1 in the March timeframe.

Windows XP with Service Pack 2 has been very stable for a long time so do we really need a Service Pack 3? Even though SP3 contains around 1000 bug fixes it does not contain any bug fixes that I’m affected by and probably not most of you guys. Instead SP3 will provide updates on technologies such as Windows Installer, remote desktop client, and other base features of Windows, also providing support for new features like Network Access Protection. An interesting thing about SP3 is that if you integrate it into an existing Windows XP CD you will be able to install it without providing a product key, just like Windows Vista!

Vista SP1 installations fail with error code C004F013

The first time I installed Windows Vista Service Pack 1 beta on my work laptop it seemed to install fine, but after logging in for the first time it wanted me to activate Vista to be able to continue. Strange I thought and of course I tried to activate it since our MAK key was in the image already. But instead of activating Vista the computer would just restart and the SP1 installation was reverted and the installation eventually was pronounced as failed with error code C004F013. I tried installing SP1 again and then it was installed successfully.

After doing another Vista deployment and installing SP1 I found out that the exact same thing happened again, and then again on another machine. I then filed it as a bug on Connect as the problem was also occurring with the standalone version as well as the one from Windows Update. Microsoft has now implemented a workaround for the problem but they are still working on finding the origin of the problem to be able to provide a solid solution to the problem.

I must really say that I’m impressed by Microsoft as they have been very professional and helpful in resolving the Service Pack 1 issues I’ve reported.

Tagging files in Vista leaves a lot to wish for

Windows Vista has built in functionality for letting users tag files with keywords and other metadata, making them a lot easier to find. You can then create “virtual folders” based on saved searches for explicit keywords of the files you have tagged, having different virtual folders for different projects for instance. The only letdown is that you are only able to tag a few file formats and those are:

  • Microsoft Office Word, Excel, PowerPoint and Access files.
  • Windows Media Audio and Windows Media Video files.
  • TIFF and JPEG files.
  • MP3 files.
  • XPS, Microsoft's replacement for PDF.
  • MSI installer files. (Yes, Windows Vista supports MSI file tags but this is in practice not very usable at all.)

As you can see this leaves a lot of file formats to wish for. For this excellent feature of Vista to be really useful I would like to be able to tag PDF files, PNG image files, favorites, web files and much more. One problem though is that the metadata and tags are stored in the actual files, not in alternate data streams on the file system itself. The advantage of this is that you can be sure that the metadata will always stick with the file if you move it or send it to someone via email.

I have during the beta testing of Vista tried to find out more about how this file tagging actually works and why more formats are not supported. I mean PDF files can contain tags and comments, what is stopping Adobe or Microsoft from making Vista tags work with PDF files? Sadly Service Pack 1 seems to make no changes at all regarding the ability to tag files. If anyone has more information about tagging files in Vista please leave a comment!

Vista SP1 change causes Kerberos problems

After installing SP1 I can no longer access my network shares which contain my Documents. After contacting Microsoft they have concluded that there actually is a change in the way Windows Vista SP1 handles Kerberos communication. The changes affect only when you use Active Directory to store accounts which are then mapped using altSecurityIdentity to use the password from an external Kerberos server. In my case we are using a Heimdal Kerberos server but the problem might affect users of MIT Kerberos as well. Logging in to the Windows system itself is not a problem, the only problem seems to be when accessing file shares (using CIFS).

Until the Heimdal Kerberos is patched to solve this problem there is a workaround for the problem. On the client computer you have to add a registry key with your domain name and then add a REG_SZ value named “SpnMappings” with the value “.your.domain.com” in the registry key below:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm\YOUR.DOMAIN.COM

After restarting the computer you can access the network share as expected.

Manage ActiveX controls with GPOs in Vista

As you might know there is no good way to control the installation or blocking of ActiveX controls for standard user accounts. Windows Vista introduces a cure to this, and it is called ActiveX Installer Service. This service is not installed by default but can be found in Programs and Features > Turn Windows features on or off. I recommend that you add this component using an unattended answer file in corporate environments. Once installed you can control if a standard user should be able to install certain ActiveX controls or not. I have not found any good step-by-step guides for configuring this so here it comes:

1. When you go to a web site and try to install an ActiveX control, an event is logged in the event viewer specifying the exact origin and http or https address where the ActiveX control resides.

2. Enter the address you found above in the group policy setting “Approved Installation Sites for ActiveX Controls” found in Computer configuration\Administrative templates\Windows Components\ActiveX Installer Service with the additional settings for example 2,2,0,0.

To allow, for instance, the Windows Genuine Advantage control to be installed by a regular user, you can add the address http://download.microsoft.com with 2,2,0,0. Now you can refresh the policy on your test computer and go to Microsoft Download Center and there try to validate and install the WGA ActiveX control as a regular user account without administrative privileges. Voilà!
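To make a value such as 2,2,0,0 readable when reviewing a list of approved sites, here is an added example (not part of the original post) that decodes each entry and lists what deserves a second look. The field meanings follow the policy's own explain text (trusted-publisher-signed, signed, unsigned, HTTPS certificate flags); the function name, the finding texts and every sample entry except the one from the post are constructed for illustration.

```python
from urllib.parse import urlsplit

# First three fields: action for controls signed by a trusted publisher,
# other signed controls, and unsigned controls.
ACTIONS = {0: "block", 1: "prompt", 2: "silent install"}
# Fourth field: bit flags naming HTTPS certificate errors to ignore.
CERT_FLAGS = {0x0100: "unknown CA", 0x0200: "wrong certificate usage",
              0x1000: "invalid CN", 0x2000: "invalid certificate date"}

def decode_site(url, value):
    """Decode one approved-site entry and list the points worth reviewing."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 4:
        raise ValueError(f"{url}: expected 4 comma-separated fields, got {value!r}")
    tps, signed, unsigned = (int(p) for p in parts[:3])
    cert = int(parts[3], 0)  # assumption: written as decimal or 0x-prefixed hex
    if any(v not in ACTIONS for v in (tps, signed, unsigned)):
        raise ValueError(f"{url}: install fields must be 0, 1 or 2")
    findings = []
    if unsigned == 2:
        findings.append("silent install of unsigned controls is not supported")
    elif unsigned == 1:
        findings.append("users can be prompted to install unsigned controls")
    ignored = [name for bit, name in CERT_FLAGS.items() if cert & bit]
    if ignored:
        findings.append("ignores certificate errors: " + ", ".join(ignored))
    if urlsplit(url).scheme.lower() != "https" and 2 in (tps, signed):
        findings.append("silent install approved for a non-HTTPS origin")
    return {"url": url,
            "trusted_publisher": ACTIONS[tps],
            "signed": ACTIONS[signed],
            "unsigned": ACTIONS[unsigned],
            "findings": findings}

# The first entry is the one from the post; the others are constructed samples.
SAMPLE_POLICY = {
    "http://download.microsoft.com": "2,2,0,0",
    "https://intranet.example.test": "2,1,0,0x1100",
    "https://apps.example.test": "2,2,1,0",
}

if __name__ == "__main__":
    for site, setting in SAMPLE_POLICY.items():
        print(decode_site(site, setting))
```
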